Neural networks, with their ability to learn behavioural patterns from arbitrary data, seem like a natural way to deal with intrusion detection. There are many academic papers on the topic which report good performance and an even better potential.

The question is, are there any real-life implementations? Is there a single intelligent firewall, or a firewall module, or some other sort of an intelligent intrusion detector that actually uses NNs?

The closest thing I found is this: roberto.perdisci.com/projects/mcpad, but it seems to be an academic project - I can't tell how usable the thing is. Got to try it out. And yet... I like the idea of getting AI involved.
– anna-earwen Aug 30 '12 at 16:46

NN is not a good way in modelling. It's a very good tool for kids to play with, but for a serious solution you need different methods, which use MULTIPLE methods, and not just NN. It's like a shortcut, has potential in the idea of modelling, but the output is useless, as NN is far too limited in its ability due to the fact that to model behaviour you would need to use at least 8x NN and connect them, which is not NN any more, because not all parts have to be, and cannot be processed as NN.
– Andrew Smith Aug 30 '12 at 19:08

It's like you would be inspecting a cable as a telephony solution. A cable is not enough. You can drag a cable and therefore send a message, but it's not a real, usable solution. If there is anything with NN, it's just a marketing bauble, and probably not good.
– Andrew Smith Aug 30 '12 at 19:08


You're not being objective, Andrew. Obviously, a NN with 3 inputs and an output is just as likely to "work" as a single neuron is likely to approximate the XOR function. However, the field of NN research is vast and versatile, and - surprise! - it includes a thing called NN ensemble (I am now referring to your idea of interconnecting NNs). I know there is no out-of-the-box solution, for the mere reason that there never is an out-of-the-box solution, whenever the problem to be solved is harder than multiplying 2 by 2. But I am a researcher. I am looking for problems which haven't been solved :)
– anna-earwen Aug 30 '12 at 19:28

5 Answers

There has been an enormous amount of research into using machine learning techniques for anomaly detection, i.e., to scan network traffic and detect intrusions. However, this research has had very little practical impact. These techniques have seen little deployment and are rarely used in practice.

Why not? There are a number of reasons.

First, these systems tend to have a high false alarm rate. They often raise multiple spurious alarms per day (sometimes even dozens per day), which takes up system administrators' time. This is a fundamental challenge for anomaly detection systems, because they suffer from the "needle in a haystack" problem: billions of packets traverse your network every day, and almost all of them are benign. If the algorithm has a false alarm rate as low as 0.1%, that's still thousands of packets being spuriously flagged. To be practical, the anomaly detection algorithm needs to have an exceptionally low false alarm rate, which is very challenging to do well -- for the same reason that it is very difficult to detect terrorists in airport screening, without introducing a lot of false alarms that cause everyday folks to have to be searched.

Second, anomaly detection systems tend to be not very robust. They focus on detecting unusual or novel patterns in your network traffic: anything out of the ordinary. The consequence is that any time something changes about your network, no matter how benign, they tend to raise alarms. Did your website just get slashdotted? Blam, spurious alarms go crazy. Did some user install a new application that plays novel NAT traversal games? Blam, here come the spurious alarms. Did someone just install IPv6 for the first time? Blam. Did someone connect a new mobile phone with a wonky TCP/IP stack that sends out broken packets? Blam. You get the idea.

If you want to read more about the challenges of innovation in this area, I would recommend the following research papers:

Excerpt: "compared with other intrusion detection approaches, machine learning is rarely employed in operational “real world” settings. [...] It can be surprising at first to realize that despite extensive academic research efforts on anomaly detection, the success of such systems in operational environments has been very limited."
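The two effects this answer describes, the false-alarm arithmetic of a rare-event detector and a baseline detector meeting a benign change in traffic, worked through as an added example (not code from the answer, nor from any product it mentions). Every figure in it is constructed: 10 million flows a day with a 1-in-100,000 malicious base rate, a detector with 90% detection and a 0.1% false-positive rate, and a requests-per-minute series that contains a flash crowd rather than an attack. The function names and the z-score detector are my own choices, not any IDS's implementation.

```python
"""Why anomaly-based intrusion detectors drown in spurious alerts: the
base-rate arithmetic, and a baseline detector meeting a benign change.
Added example; all traffic figures below are constructed, not measured."""
from statistics import mean, pstdev


def expected_alerts(n_events: float, base_rate: float, tpr: float, fpr: float) -> dict:
    """Daily alert volume for a detector with true-positive rate `tpr` and
    false-positive rate `fpr`, when a fraction `base_rate` of `n_events`
    is actually malicious. Precision = share of alerts that are real."""
    malicious = n_events * base_rate
    benign = n_events - malicious
    true_alerts = malicious * tpr
    false_alerts = benign * fpr
    total = true_alerts + false_alerts
    return {
        "true_alerts": true_alerts,
        "false_alerts": false_alerts,
        "precision": true_alerts / total if total else 0.0,
    }


def fpr_for_precision(base_rate: float, tpr: float, target_precision: float) -> float:
    """Largest false-positive rate that still yields `target_precision`.
    From P = TP/(TP+FP) with TP = N*b*tpr and FP = N*(1-b)*fpr:
        fpr = b*tpr*(1-P) / ((1-b)*P)      (N cancels out)."""
    b, p = base_rate, target_precision
    return b * tpr * (1 - p) / ((1 - b) * p)


def zscore_alerts(baseline: list, live: list, threshold: float = 4.0) -> list:
    """Simplest anomaly detector: learn mean/std of a metric (here requests
    per minute) from a training window, then flag live samples whose
    absolute z-score exceeds `threshold`. Returns indices of flagged samples."""
    mu = mean(baseline)
    sigma = pstdev(baseline)
    if sigma == 0:
        # A constant baseline makes every deviation "infinitely" anomalous.
        raise ValueError("baseline has zero variance; cannot score deviations")
    return [i for i, x in enumerate(live) if abs(x - mu) / sigma > threshold]


# Constructed traffic figures (hypothetical): 10 million flows/day, of which
# 1 in 100,000 is malicious; the detector catches 90% with a 0.1% FPR.
FLOWS_PER_DAY = 10_000_000
BASE_RATE = 1e-5
TPR, FPR = 0.9, 1e-3

# Constructed requests-per-minute series: a stable baseline (values 95..105)
# followed by live minutes in which a benign flash crowd starts at index 5.
# The static-baseline detector flags it exactly as it would flag a flood.
BASELINE = [100 + ((i * 7) % 11) - 5 for i in range(60)]
LIVE = [101, 98, 104, 97, 102, 420, 650, 800, 790, 760, 130, 99, 103]

if __name__ == "__main__":
    day = expected_alerts(FLOWS_PER_DAY, BASE_RATE, TPR, FPR)
    print(f"alerts/day: {day['true_alerts']:.0f} real, "
          f"{day['false_alerts']:.0f} spurious, precision {day['precision']:.3%}")
    need = fpr_for_precision(BASE_RATE, TPR, 0.5)
    print(f"FPR needed for half of all alerts to be real: {need:.2e}")
    print("flagged minutes:", zscore_alerts(BASELINE, LIVE))
```

With these inputs the 0.1% false-positive rate produces about ten thousand spurious alerts for ninety real ones, and bringing precision up to one real alert in two requires a false-positive rate near one in a hundred thousand, two orders of magnitude lower. The z-score detector flags every minute of the flash crowd for as long as the crowd lasts; re-learning the baseline continuously would quiet it, at the cost of letting any gradual shift in traffic, benign or not, become the new normal. That trade-off is the robustness problem the answer describes.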

Thanks! I do my humble bit of research in ML, I know its limitations ;) I guess it will be correct to assume the intrusion detection problem hasn't been solved with ML techniques yet. Interesting.
– anna-earwen Aug 30 '12 at 16:56

I doubt you can find any commercial product, since this domain is highly commercialized, there is almost no open source implementation available, and most of the work is done in a closed ecosystem. There has been a discussion on this topic you can find at link.
The only open source tool I found was OSSEC; it is a Host-Based Intrusion Detection system, and there is recent research on integrating it with AI techniques. There is also a book on it you may find interesting.

Awesome! Thanks a lot. I'm just trying to figure out how much of a trodden ground the idea itself is. Apparently, the idea is old, but a stable, universally accepted solution is still pending. Now, taking into account the recent breakthrough in.... Wait, I shouldn't have said that :P
– anna-earwen Aug 30 '12 at 18:41

Thanks for your answer. I asked the question on this forum because I wanted answers from people proficient in security (not in AI). I think I got what I wanted. The rest is up to me :)
– anna-earwen Aug 30 '12 at 19:34